My phone is still not able to access the Town Square threads and shows Guy Fawkes or error messages. My computer doesn't seem to have any problems.
Is there still some residual problem?
Original post made by Resident, Another Palo Alto neighborhood, on Sep 19, 2015
Comments (27)
"My phone is still not able to access the Town Square threads and shows Guy Fawkes or error messages."
Try the reload feature on your phone browser. If that doesn't fix it, clear the browser's cache (i.e., its old content). You may have to delete all old content to do this, depending on your browser.
I tried repeatedly to reply to that post and every attempt failed - the question just disappeared with the page refresh after submission. Pretty obvious that PAO doesn't want anyone to be able to respond to that article.
My question was to confirm (per the article) that PAO saves user login passwords in clear text, hence making every user login subject to hacking, and worse, jeopardizes any logins of people that use the same password at any number of the hundreds of internet site logins.
Due to repeated violations of our Terms of Use, comments from this poster are automatically removed.
They are still not telling us what user data was stored on their computers and how well encrypted it was.
Thanks for the help. I am now up and running.
Couple of questions though.
The Almanac and Voice are both allowing posts to the news item and even the editor of the Almanac is replying to a comment. So why can't we comment here? All comments on both sites are thoughtful and supportive so I don't see any reason why this should not be locked from the start.
Should all registered users be worried about this? I now have another reason to not register to this or any other website. I am one of those people who hate registering for anything online, shopping online, or anything else. Identity theft is a big problem to anyone who gets caught and my personal feeling is that the less of a footprint I leave on the internet the safer I am. Is there truth in this?
Lastly, I see no reason why big time hackers should be worried about such small and incidental newspapers. They are valuable to us as locals, but in the big picture of things our little concerns can't be worth the effort. So my question here is whether this is a rehearsal or practice run for a much bigger news entity such as CNN, Reuters or Associated Press?
Since the FBI are involved, there must be more than they are disclosing.
@Resident,
I'm concerned hearing the above comments, because I've read TS for a long time and the problem of not being able to post to threads when the "Post a comment" is enabled happened only in the run-up to the hack, for maybe 2 weeks or so. I'm concerned that it is somehow related. What would happen is that a few comments would be allowed and then nothing. If you tried to post to a lot of threads (not all), the posts would simply disappear. My experience was that it would happen from any computer or device and whether you were logged in or not. My posting a thread on the issue twice was taken down completely without a trace. Usually the Weekly will say something has been deleted, although not always, so I assumed it was just heavy-handed moderating.
I'm more worried about what might have been happening unbeknownst to the Weekly before the site was taken down, for example if those posting problems were part of the hack. Hearing that other people are noticing the same problem that I complained about before the hack (and was taken down) makes me worry that something is still wrong or vulnerable with the site. I am also concerned about the registration being unencrypted.
The hacks you really have to worry about are the ones you never know about. I complained to the school district that more than one time our information on infinite campus registration disappeared, and in its place, someone inserted information that couldn't have been accidental. Since it was funny, the district person laughed, but then said there was no evidence of any security issue or breach. No evidence?! The data inserted was evidence! If everything was missing, that's evidence of a problem. If funny data you didn't insert yourself is there, that's evidence of a breach. Nothing was ever done about it. Some Schoology issues were handled even less well. (Note to hackers: if you leave funny information behind, it's as good as leaving without a trace in our district I suppose. That person is no longer with the district but went to work for the government, pre-OPM breach.)
I'm sorry for the minimal information we are providing at this time about the various issues that have been raised. The FBI and police have asked us to not go any further in our comments about the hack at this time so that their investigation can proceed without details being made public. We realize this is frustrating for those of you who wish more information, but please bear with us. If you have information that you think would aid the law enforcement investigations or us, please email them to me at bjohnson@paweekly.com or phone me directly at 650-223-6505. The various oddities you may have noticed on Town Square are known to us and will be fixed soon. Thanks for your support and understanding.
Thank you for your comments Bill. I'm sure you and your staff have a lot to deal with and we are all appreciative and supportive, and hope the perpetrators will be caught.
"Since the FBI are involved, there must be more than they are disclosing."
Was the hack just taking down the sites, or was it also looking through the Weekly's computer systems (since the article says the user info may have been/was? accessed but not taken?) - could someone have been looking to see if the Weekly had story info on something? Given the possibility that the hack may not be consistent with Anonymous' typical hack, one wonders if someone was trying to see if the Weekly has information. (And when they were caught/suspected, put up the hack page?) Of specific concern: could the hackers have had access to emails or confidential journalistic source information?
"My question was to confirm (per the article) that PAO saves user login passwords in clear text, hence making every user login subject to hacking, and worse, jeopardizes any logins of people that use the same password at any number of the hundreds of internet site logins."
People using only one password for all their logins should know better. It makes it likely that one will eventually be hacked, regardless of what happened or not at Embarcadero Media. These tips might help:
Web Link
Web Link
If you have a web-based email account, use two-factor authentication. Plenty of additional information is only a Google search away. Mr. Johnson, why don't you put such information in print? The way people are fretting here, it sounds like they could benefit from an article or two on the subject.
When I ran into this problem the system gave options as to how to access data - none of which worked. Now I am concerned that some hack is tracing back to an email account which would provide the hacker a route to individual computers.
I think I need some feedback on that - the email account if tied to your individual system and since you have already logged in then the door is open.
@resident 1, if you are concerned that your email account was compromised, try changing the password on your email account, changing the challenge question(s), and enabling two-factor authentication. That should keep any unauthorized individuals out of your email account. If you are uncertain as to how to do this or what these things are, get someone who is well versed in computers to assist. OK, that should take care of the "hack is tracing back to an email account" concerns.
"which would provide the hacker a route to individual computers"
Having your email account password won't automatically give someone access to your computer.
@Bill Johnson, here is your chance to turn lemons into lemonade. I know you must be crazy busy now dealing with the web break-in fallout. Perhaps rather than an article or two, it would be a good idea to have a regular column about basic computer security and usage. There seems to be a lot of worry and need for such information, and your publications and website would be the perfect venue. Listing local resources for computer tech support would also help.
@ Kazu - if PAO stores passwords in plaintext, which would be pretty shoddy, they have the responsibility to tell everyone so people know to take quick action.
Their login process is already insecure (uses http, not https) so I wouldn't be surprised if they also failed to secure passwords.
The Forum system is the worst of all worlds - anybody can post and thus access the system but registered users are required to provide a lot of personal information which is then clearly available to a hacker.
What assurances can the Weekly give registered users that this information has not been stolen?
If it has then will the Weekly provide fraud alert protection to its registered users?
@Slow Down, I agree it would be very bad practice indeed if the passwords were/are stored in plaintext. The concerns of registered users voiced here are quite understandable and reasonable.
I am not sure what "quick action" people would take that they would not do otherwise. Given that security might be iffy, it makes sense to assume the worst and act accordingly. As for releasing further information, it seems Embarcadero Media's hands are tied:
"The FBI and police have asked us to not go any further in our comments about the hack at this time so that their investigation can proceed without details being made public."
Every responsible organization alerts its users if their personal data has been put at risk and there is no FBI policy that precludes them from doing so.
The financial and reputation costs of not doing so are huge.
It would seem to me that the *additional* risk of someone's posting fake messages under your registered identity while using a password gathered from the hack is minimal. And if your PA Online password is different from your email password I think the risk of email mischief is minimal.
But what do I know? The alert in the original article--"He (Embarcadero President and CEO Bill Johnson) advised readers who are registered users to change their passwords and, if they use the same password on other sites, to change all of them."--sent me looking for a way to change my Town Square password. Haven't found it yet. Any suggestions?
"The Forum system is the worst of all worlds - anybody can post and thus access the system but registered users are required to provide a lot of personal information which is then clearly available to a hacker."
Only those incautious innocents who registered their actual name, home address, email, phone number, etc., need worry.
Myself--I shall sleep like a baby tonight, and tomorrow night, and ... .
The problem is pervasive. My sister's Facebook was hacked and someone was asking for donations through her Facebook as though it was her. My son caught it and called her - she was unaware that was happening.
There is no end to stories of people getting invaded and misrepresented on these systems - any systems.
> The Forum system is the worst of all worlds - anybody can post and thus access the system but registered users are required to provide a lot of personal information which is then clearly available to a hacker.
Great job at disproving your own argument.
When you realize that the way the internet is designed, as well as the systems on it, there will be hacking attacks until it is redesigned. This is not just a problem with forums as the recent Chinese hacking scandal has shown.
Only yet another in a series of nags about forcing people to identify themselves. Not a good idea as you now have convinced yourself.
Have you ever seen how people react to ideas they do not like on the Internet, and how that can endanger both free expression and people's safety? People get fired or forever branded by saying one wrong thing without thinking. In a forum where you want people to be free from that "chilling effect" and readers to take what people say on logic instead of name or authority, anonymity is the way to go.
Finally, just because you can go to a website does not mean you have "access" to it, whatever is meant by that phrase.
Did this happen again the other day because the site seemed to be down for a period?
Registered User ...
>> sent me looking for a way to change my Town Square password. Haven't found it yet. Any suggestions?
If you have a Mac, there is this thing called the Keychain that is perfect for non-critical sites like this. I am sure there are analogs for other OS's as well.
When you register for a site, Keychain comes up with a password for you automatically that is the messiest looking hardest to remember or crack series of characters you could imagine.
Then when you go to log in, Keychain pre-fills the login and password fields with these encrypted saved values. Very easy and convenient.
I would only use it for non-shopping or banking sites, obviously, but it works well. Using iCloud you can have this data fanned out to your other devices too, but I don't know how secure that is so I would not yet recommend it. Maybe someone else can speak to that.
"Every responsible organization alerts its users if their personal data has been put at risk and there is no FBI policy that precludes them from doing so."
I agree completely. Surely such notifications sent out, no?
@Plane Speaker
"In a forum where you want people to be free from that "chilling effect" and readers to take what people say on logic instead of name or authority, anonymity is the way to go."
If Town Square's site management agrees with you that using online handles instead of real names is "best practice" in the domain of online commenting, it should recommend, if not mandate, anonymity to remove confusion over whether actual names are preferred.
I need a reminder of the benefit of registration for would-be posters. With the hack, security concerns came not from posters using their own names, but from having registered their names. That's what wound up exposing them to whatever level of risk there is.
@Plane Speaker
Sorry, I forgot to thank you for sharing your ideas about using Keychain for dealing with password issues. I do use Apple products but my Town Square password isn't accessible for modification through Keychain.
"Surely such notifications sent out, no?"
Look, Mr. Johnson, just assure these pilgrims their data were totally hacked and they'll be satisfied. Never mind the truth, just tell them what they want to hear. I know it's perverse, but with some folks it's the only acceptable option.
I received SPAM to a Username that I only use on PAW, to an email account linked to this logon.
I reported it to PAW IT voicemail as soon as I saw the mail. I never got a callback.
Not good. Any breach needs to notify users immediately so there is awareness of the potential outfall.
Dear Forum Managers,
Was the personal data of registered users compromised in this hacking incident?